How does Sensu use SSL?

All communication between Sensu services happens via the Sensu transport.
As such, securing a Sensu installation means securing the communication between
all of the Sensu services and the Sensu transport with SSL encryption. Sensu
can operate without SSL encryption; however, this practice is heavily
discouraged.

SSL-secured Transports

Although the Sensu transport library makes it possible for Sensu to
leverage transport alternatives to RabbitMQ (e.g. Redis), not all transports
offer SSL support (e.g. Redis does not support SSL). For this reason, this
reference document will focus on SSL security for Sensu with the RabbitMQ
transport.

Configuring Sensu + RabbitMQ for SSL encryption

Generate self-signed OpenSSL certificates and CA

The following instructions will generate an OpenSSL certificate authority and
self-signed certificates. Alternatively, please refer to the official RabbitMQ
SSL documentation for a detailed guide on configuring RabbitMQ with SSL.

OpenSSL is required on the machine that will generate the SSL certificates.
Install OpenSSL on your platform:

NOTE: the RabbitMQ documentation will direct you to provide the location of
three certificate files: cacertfile, certfile, and keyfile. These files
correspond to the sensu_ca/cacert.pem, server/cert.pem, and
server/key.pem files generated by the Sensu SSL tool (above). We recommend
copying these files to the RabbitMQ server in a new /etc/rabbitmq/ssl/
directory.

When complete, your /etc/rabbitmq/rabbitmq.config file should contain the
following configuration block:

NOTE: The service command will not work on CentOS 5; the sysvinit script must
be used instead, e.g. sudo /etc/init.d/rabbitmq-server start

sudo service rabbitmq-server start

Configure Sensu

Install the self-signed SSL certificates generated above by copying the
client/cert.pem and client/key.pem files to the /etc/sensu/ssl/
directory on all systems running Sensu processes (e.g. the Sensu server,
API, and client(s)).

WARNING: please note that by default, RabbitMQ will listen for SSL
connections on port 5671 instead of 5672, so if you are upgrading an
existing configuration, please ensure that all Sensu services are attempting
to connect to RabbitMQ on "port": 5671.

Restart the Sensu services.
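The whole procedure above (CA and certificate generation, the RabbitMQ configuration block, and the Sensu rabbitmq.json), as an added example that is not the Sensu project's SSL tool or documentation: a POSIX shell script that uses the openssl CLI to build a CA, a RabbitMQ server certificate and one Sensu client certificate, verifies that both leaf certificates chain to the CA (the check RabbitMQ performs when it demands a client certificate), and stages the two configuration files into a working directory for a configuration management tool to distribute. The hostname, vhost, user, certificate lifetime and staging paths are assumptions; the RabbitMQ ssl_options keys verify and fail_if_no_peer_cert and the Sensu keys cert_chain_file and private_key_file come from the respective products' configuration formats and are not on this page.

```shell
#!/bin/sh
# Added example, not the Sensu project's SSL tool: build a CA, a RabbitMQ server
# certificate and a Sensu client certificate, then stage the two configuration
# files the procedure refers to. All names and values below are assumptions.
set -eu

DAYS="${DAYS:-1825}"                                     # certificate lifetime (assumed)
RABBIT_HOST="${RABBIT_HOST:-rabbitmq.example.internal}"  # must match the host Sensu dials

# gen_ca CADIR: self-signed CA -> CADIR/cacert.pem (distribute) + CADIR/cakey.pem (keep private)
gen_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -sha256 \
    -subj "/CN=Sensu Example CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  chmod 600 "$1/cakey.pem"
}

# issue CADIR DIR CN EKU: leaf certificate signed by the CA in CADIR -> DIR/cert.pem + DIR/key.pem
# EKU is serverAuth (RabbitMQ) or clientAuth (Sensu processes); the server certificate
# also gets a SAN so clients can verify the broker's hostname.
issue() {
  cadir="$1"; dir="$2"; cn="$3"; eku="$4"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/ext.cnf"
  if [ "$eku" = serverAuth ]; then
    printf 'subjectAltName=DNS:%s\n' "$cn" >> "$dir/ext.cnf"
  fi
  openssl x509 -req -in "$dir/req.pem" -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" \
    -CAcreateserial -days "$DAYS" -sha256 -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
  rm -f "$dir/req.pem" "$dir/ext.cnf"
  chmod 600 "$dir/key.pem"
}

# verify_chain CACERT CERT: succeeds only if CERT chains to CACERT, which is what
# RabbitMQ checks on a connecting Sensu process when verify_peer is set.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# stage_rabbitmq_config DIR: classic Erlang-format rabbitmq.config that enables the
# SSL listener on 5671 and requires a client certificate issued by our CA.
stage_rabbitmq_config() {
  mkdir -p "$1"
  cat > "$1/rabbitmq.config" <<'EOF'
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
                   {certfile,   "/etc/rabbitmq/ssl/cert.pem"},
                   {keyfile,    "/etc/rabbitmq/ssl/key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true}]}
  ]}
].
EOF
}

# stage_sensu_config DIR: rabbitmq.json for every Sensu process, pointing at the
# SSL port and the client certificate copied to /etc/sensu/ssl/.
stage_sensu_config() {
  mkdir -p "$1"
  cat > "$1/rabbitmq.json" <<EOF
{
  "rabbitmq": {
    "host": "$RABBIT_HOST",
    "port": 5671,
    "vhost": "/sensu",
    "user": "sensu",
    "password": "CHANGE_ME",
    "ssl": {
      "cert_chain_file": "/etc/sensu/ssl/cert.pem",
      "private_key_file": "/etc/sensu/ssl/key.pem"
    }
  }
}
EOF
}

# main: run the whole procedure into a staging directory. Afterwards copy
# sensu_ca/cacert.pem and server/* to the RabbitMQ host's /etc/rabbitmq/ssl/
# and client/* to /etc/sensu/ssl/ on every Sensu host.
main() {
  WORKDIR="${WORKDIR:-$(mktemp -d)}"
  gen_ca "$WORKDIR/sensu_ca"
  issue "$WORKDIR/sensu_ca" "$WORKDIR/server" "$RABBIT_HOST" serverAuth
  issue "$WORKDIR/sensu_ca" "$WORKDIR/client" "sensu-client" clientAuth
  verify_chain "$WORKDIR/sensu_ca/cacert.pem" "$WORKDIR/server/cert.pem"
  verify_chain "$WORKDIR/sensu_ca/cacert.pem" "$WORKDIR/client/cert.pem"
  stage_rabbitmq_config "$WORKDIR/etc/rabbitmq"
  stage_sensu_config "$WORKDIR/etc/sensu/conf.d"
  echo "staged under $WORKDIR"
}

# Generate only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = generate ]; then main; fi
```

Run it as `sh sensu_ssl_example.sh generate` (a hypothetical file name). Because the server certificate carries a SAN for the broker's hostname and the client certificate carries only clientAuth, a leaked client key cannot be reused to impersonate the broker, and because the CA key never leaves the generating machine, the only way to obtain a certificate RabbitMQ will accept is to be issued one from that CA. This also illustrates the limitation described in the next section: a certificate from any other CA is rejected, but a certificate this CA already issued cannot be individually revoked, so compromise means regenerating the CA and redistributing everything.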

Known limitations

You may have noticed that the instructions above only generated a single client
certificate. Ideally, every SSL connection would use a different certificate,
allowing them to be individually revoked. There is currently no way to tell
RabbitMQ to reject a certificate. If the integrity of a certificate is
compromised, it is common practice to regenerate and redistribute the
certificate authority and certificates. This process is greatly simplified with
the use of configuration management tools. In the future, the Sensu project
hopes to be able to provide a better mechanism for distributing individual
certificates and providing fast/simple revocation facilities.
